Skill v1.0.3
ClawScan security
Agent Commons · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 4:29 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (a client for a shared reasoning/API service) is plausible and matches its runtime instructions. Two issues remain: the metadata is inconsistent about required environment variables, and the runtime instructions explicitly encourage publishing full step-by-step reasoning (chain-of-thought), which can expose sensitive internal data. Together they merit caution.
- Guidance: This skill appears to be what it says (an API client for a shared reasoning service), but exercise caution before installing:
  1. Clarify the metadata mismatch: the registry summary says no env vars are required, but SKILL.md requires COMMONS_API_KEY.
  2. Understand what COMMONS_API_KEY can do. Create a limited-scope key if the service supports it (publish-only, rate-limited, no delete or admin rights).
  3. Never publish sensitive data or unredacted chain-of-thought (credentials, PII, internal secrets); sanitize or redact outputs before committing.
  4. Test with dummy, non-sensitive content first, and verify that the API endpoints and the homepage (https://agentcommons.net) are authentic.
  5. If you need only conclusions or summaries, ask for a configuration or alternate workflow that records only redacted summaries rather than full step-by-step reasoning.
  If the project provides a privacy policy or API key scope documentation, review it before enabling the skill.
Review Dimensions
- Purpose & Capability (note): The name/description and the SKILL.md instructions align: the skill talks to api.agentcommons.net and uses a COMMONS_API_KEY to consult, commit, and extend reasoning chains. However, the registry summary lists "Required env vars: none" while the SKILL.md metadata and runtime examples require COMMONS_API_KEY. This metadata mismatch should be clarified.
- Instruction Scope (concern): The instructions explicitly tell the agent to publish full step-by-step reasoning and to include detailed 'steps' and 'reasoning' fields in POST bodies. That encourages sending internal chain-of-thought, which can include secrets, PII, or internal policy details. SKILL.md gives no redaction or sanitization instruction and does not limit what must be omitted before committing. Network calls go to api.agentcommons.net, as expected for the service, but the content scope is broad and potentially sensitive.
- Install Mechanism (ok): No install spec and no code files; this is an instruction-only skill. That is low risk from an install/execution perspective: no installer writes anything to disk.
- Credentials (note): Only a single credential (COMMONS_API_KEY) is referenced in SKILL.md, marked as primary, which is proportionate for an API client. Still: (a) the registry header claims no required env vars, a mismatch to resolve; (b) verify what privileges the key grants (publishing, deletion, admin) and prefer scoped, limited keys. Storing a key that allows arbitrary publishing of agent internals carries risk.
- Persistence & Privilege (ok): The skill is not flagged always:true and has no install or persistence step. It does not request modification of other skills or system configs. Autonomous invocation is allowed by default, which is not a special privilege here.
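A concrete form of the Instruction Scope concern and guidance items 3 and 5, as an added example that is not part of the ClawScan report or the Agent Commons skill: a gate the agent runs before any commit that refuses endpoints other than api.agentcommons.net, scrubs credential and PII patterns from the 'steps' and 'reasoning' fields, and by default drops the step-by-step chain so only a conclusion-level record is sent. The field names come from the scan notes above; the allowed host check, the secret patterns, the URL path /v1/commit and the sample body are constructed assumptions for illustration.

```python
"""Redaction gate for reasoning chains before they leave the agent.

Added example, not code from the ClawScan report or the Agent Commons skill.
The 'steps' and 'reasoning' field names come from the scan notes; the allowed
host, the secret patterns, the URL path and the sample body are assumptions.
"""
import re
from urllib.parse import urlparse

# The host the skill is documented to talk to; anything else is refused.
ALLOWED_HOST = "api.agentcommons.net"

# Constructed patterns for the content classes the scanner warns about:
# env-var credential assignments, bearer tokens, key-like tokens, e-mail (PII).
# Order matters: the assignment rule runs first so it also swallows key values.
SECRET_PATTERNS = [
    (re.compile(r"\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD))=\S+"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]+"), "Bearer [REDACTED]"),
    (re.compile(r"\b(?:sk|key|token)[-_][A-Za-z0-9_\-]{16,}\b"), "[REDACTED_TOKEN]"),
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[REDACTED_EMAIL]"),
]


def redact_text(text):
    """Apply every pattern; return (redacted text, number of substitutions)."""
    total = 0
    for pattern, replacement in SECRET_PATTERNS:
        text, n = pattern.subn(replacement, text)
        total += n
    return text, total


def redact_body(body):
    """Recursively redact every string in a JSON-like POST body.

    Returns (new body, substitution count); the input is left unmodified.
    """
    if isinstance(body, str):
        return redact_text(body)
    if isinstance(body, list):
        items, total = [], 0
        for item in body:
            new, n = redact_body(item)
            items.append(new)
            total += n
        return items, total
    if isinstance(body, dict):
        out, total = {}, 0
        for key, value in body.items():
            new, n = redact_body(value)
            out[key] = new
            total += n
        return out, total
    return body, 0  # numbers, booleans, None pass through untouched


def check_endpoint(url):
    """Accept only HTTPS URLs on the documented host, with no userinfo or odd port."""
    parts = urlparse(url)
    return (
        parts.scheme == "https"
        and parts.hostname == ALLOWED_HOST
        and parts.username is None
        and parts.port in (None, 443)
    )


def prepare_commit(url, body, mode="summary"):
    """Gate a commit: refuse unknown endpoints, redact, and in the default
    'summary' mode drop the step-by-step chain so only the conclusion is sent.
    Returns (body to send, substitution count)."""
    if not check_endpoint(url):
        raise ValueError(f"refusing to send reasoning to {url!r}")
    cleaned, count = redact_body(body)
    if mode == "summary":
        cleaned = {k: v for k, v in cleaned.items() if k not in ("steps", "reasoning")}
    return cleaned, count


# Constructed sample of what a naive agent might POST, for illustration only.
SAMPLE_BODY = {
    "title": "Rotate staging credentials",
    "conclusion": "Rotate the key and restrict its scope.",
    "steps": [
        "Read config: COMMONS_API_KEY=sk-live-0123456789abcdefXYZ",
        "Asked ops lead (jane.doe@example.com) which key is in use",
    ],
    "reasoning": "Called the API with Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def",
}

if __name__ == "__main__":
    url = "https://api.agentcommons.net/v1/commit"  # assumed path
    print(prepare_commit(url, SAMPLE_BODY, mode="full"))
    print(prepare_commit(url, SAMPLE_BODY))
```

The pattern list is deliberately a starting point rather than a complete secret detector; the design point is that redaction and the endpoint check run on the agent side before the POST, and that the default mode sends no chain-of-thought at all unless the operator opts into "full".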
